Lignes directrices pour l'audit des SMSI
|Date de publication||2011|
|Nombre de pages (corps du document)||27|
|Nombre de pages (annexes)||0|
|Traduction en français||Non|
ISO 27007 : Guide pour l'audit de Systèmes de Management de la Sécurité de l'Information (SMSI).
This International Standard provides guidance on conducting ISMS audits, as well as guidance on the competence of information security management system auditors, in addition to the guidance contained in ISO 19011.
It is applicable to all organizations needing to conduct internal or external audits of an ISMS or to manage an ISMS audit programme.
Cette norme s'appuiera sur la nouvelle version de la Norme ISO 19011 qui fixe les lignes directrices pour l'audit des systèmes de management de la qualité et de management environnemental.
Justification de cette norme ISO 27006
This standard is intended to provide guidance to those who audit an organization's ISMS based on ISO/IEC 27001.
It provides a basis for a standardized approach to ISMS audits.
ISMS auditors need to be able to identify whether the requirements in ISO/IEC 27001 have been complied with. ISO 19011 provides generic guidance on management system audits, but there is a market requirement to provide ISMS specific guidance for auditors, for example in areas such as :
- confirming ISMS scopes;
- checking that an appropriate risk assessment approach has been adopted;
- examination of the results of risk assessments;
- checking that an appropriate selection of controls in accordance with the risk treatment decisions
have been undertaken;
- collection of objective evidence regarding the implementation of controls;
- development of ISMS audit trails;
- conducting ISMS audits for certification, based on ISO/IEC 27006.